Is it the customers mistake, not know about the spam/adware/spyware ?

Is it not the ISP's duty or policy to prevent spam from entering the mail server?
Yes and no in regards to the customer. Individuals need to realize that the Internet isn't a pleasant place and lots of unfriendly people exist. Only so much can be done by ISPs in regards to adware/spyware. If an individual chooses to visit a site that carries adware/spyware it is at their own risk. Many ISPs hold to the idea that their responsibility is to ensure uptime of the connection and that's it. Beyond that is the customer's responsibility

What do they say by colocated domain ?
Any domains that they host at their site, even if it's your box.

They say that all mails are entered through authentication server, but still i get atleast 45 new spam every day. Does that mean, the authentication server is not functioning properly ?
Depends on what they mean by authentication. If I read it right, it means that the source and destination are legitimate locations rather than meaning the user has logged into the mail server using say Secure SMTP.

Will the firewall catch unsolicited mail or is it not working properly ?
The email policy is I call a CYA policy (Cover Your Ass). If they need to step in and deal with someone they use the policy. Otherwise, they aren't really obligated to stop messages. Check the wording of it. There aren't that many statements that state "We will do such and such". It's more "we may do something". Many ISPs put these in so they can say they have a policy to stop things even if they don't have procedures in place.

Hope that helps clarify somewhat (at least that's my understanding of it -- does anyone else see something I'm perhaps missing?)